Hello pf,

  I've got a firewall/NAT machine for my company. We'd been assigned a
/32 so we asked for a /29. But our ISP was so stupid that instead of
routing the /29 to our /32 they are taking back the /32 and the new
default gateway is within the /29 (bastards!). But that's not the
point. I have to make the transition. Since the glories of DNS have a
latency of at least a week (yep, I've already lowered the TTL to 1
hour, but I guess most DNS resolvers might be broken) I want to have
both running for a while together.
I will describe the problem. But I haven't actually implemented it. So
if I'm mistaken and this actually works you can flame me at will :). The
problem is the following:

-IP packet comes to mail server through IP_old.
-Gets RDR to IP_server.
-Server responds through firewall.
-It gets RDR back to IP_old.
-It gets forwarded to its default gateway: IP_new_gw.
-IP_new_gw doesn't know about IP_old.
-BAM!

Other possible solution.
-To have both firewalls running concurrently, FW_new and FW_old.
-Server has default gateway FW_new (internal IP).
-IP packet comes to mail server through IP_old.
-Gets RDR to IP_server.
-Server responds through FW_new.
-BAM!

I think I could assign two local IPs to the server so I could try:

# Outbound NAT for the internal networks (unchanged)
nat on $ext_if inet from <intnets> to any -> $ext_addr
# Port 25 on each public address is redirected to its own local address
rdr on $ext_if inet proto tcp from any to $new_ip port 25 -> \
    $mail_ip
rdr on $ext_if inet proto tcp from any to $old_ip port 25 -> \
    $mail_ip2
# rdr runs before filtering, so the pass rules must match the translated
# (local) addresses. reply-to takes the "(interface gateway)" form and
# sends the replies of this state back out through the old gateway.
pass in quick on $ext_if reply-to ($ext_if $old_gw_ip) inet proto tcp \
     from any to $mail_ip2 port 25 keep state
pass in quick on $ext_if inet proto tcp from any to $mail_ip port 25 \
     keep state
block quick on $ext_if from any to any

Seems reasonable?

-- 
Best regards,
 Alejandro Belluscio
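A fuller ruleset for the same transition, added here as an example and not taken from the original post, in the same pre-4.7 nat/rdr syntax. Interface names and addresses are assumed placeholders, and it also covers the outbound leg (connections the server opens from its second local address, which must still leave through the old gateway) that the post's rules do not address:

```pf
# Added example ruleset for the dual-address transition (pre-4.7 pf
# syntax). Interface names and addresses are assumed placeholders.
ext_if    = "em0"               # external interface (assumed)
int_if    = "em1"               # internal interface (assumed)
old_ip    = "192.0.2.10"        # the /32 being taken back (placeholder)
old_gw_ip = "192.0.2.1"         # gateway for the old /32 (placeholder)
new_ip    = "198.51.100.10"     # address in the new /29 (placeholder)
mail_ip   = "10.0.0.25"         # first local address of the mail server
mail_ip2  = "10.0.0.26"         # second local address, tied to old_ip
table <intnets> { 10.0.0.0/24 }

# Translation runs before filtering. The second local address always
# appears as the old public address, everything else as the new one.
nat on $ext_if inet from $mail_ip2 to any -> $old_ip
nat on $ext_if inet from <intnets> to any -> $new_ip
rdr on $ext_if inet proto tcp from any to $new_ip port 25 -> $mail_ip
rdr on $ext_if inet proto tcp from any to $old_ip port 25 -> $mail_ip2

block log all
pass quick on lo0 all
pass quick on $int_if all keep state

# Inbound mail: filter rules see the post-rdr (local) destination.
# A state created for the old address returns its replies through the
# old gateway, so they never reach the new gateway that knows nothing
# about the old /32.
pass in quick on $ext_if reply-to ($ext_if $old_gw_ip) inet proto tcp \
    from any to $mail_ip2 port 25 flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to $mail_ip port 25 \
    flags S/SA keep state

# Outbound: filter rules see the post-nat source. Connections the server
# opens from its second address carry the old public address and are
# handed to the old gateway with route-to; everything else follows the
# system default route, which now points at the new gateway.
pass out quick on $ext_if route-to ($ext_if $old_gw_ip) inet \
    from $old_ip to any keep state
pass out quick on $ext_if inet from $new_ip to any keep state
```

Once the old /32 is withdrawn, removing the second nat rule, the second rdr rule and the two rules that reference $old_gw_ip leaves a plain single-address ruleset.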
